CN101895551A - Resource access control method and system - Google Patents

Resource access control method and system

Info

Publication number
CN101895551A
Authority
CN
China
Prior art keywords
resource
user
function
access control
management
Prior art date
Legal status
Pending
Application number
CN2010102336926A
Other languages
Chinese (zh)
Inventor
万可
Current Assignee
Beijing Topsec Technology Co Ltd
China Information Technology Security Evaluation Center
Original Assignee
Beijing Topsec Technology Co Ltd
Priority date
Filing date
Publication date

Abstract

The invention discloses a resource access control method comprising a resource management step, a rights management step and a rights decision step. The resource management step divides resources into a plurality of resource groups. The rights management step assigns rights to a user, where a right consists of a duty and a management domain: the duty is a set of functions and represents which operations the user may perform on the accessed resources, and the management domain is a set of resource groups and represents the range of resources the user may access. The rights decision step controls access according to the user's rights when the user accesses resources. Functions are not fixed: each business subsystem can add functions dynamically through function registration, and group labels are added automatically to derived resource objects, so the method can enforce effective access control, in both the function dimension and the resource dimension, over a large number of derived resource objects. The invention also provides a corresponding resource access control system.

Description

Resource access control method and system
Technical field
The invention belongs to the field of information security technology and relates in particular to a resource access control method and system.
Background art
Access control is the core of the mechanisms that assure information security and the principal means of achieving data confidentiality and integrity. Access control restricts the authority or ability of a subject to access an object, so that the system is used only within a legitimate range; the access control mechanism determines what a user, and a program acting on that user's behalf, may do, and to what extent. As IT adoption advances, the data that some systems manage or use keeps growing, accumulating every day in very large quantities, and resource-level authorization and access control over data of this magnitude is usually not feasible. Such data is also referred to as massive data.
Depending on the access control policy, the more typical access control mechanisms at present are:
1. DAC (Discretionary Access Control, also called random access control) is the most widely implemented access control mechanism in current computer systems. It allows a legitimate user, acting as a user or as a member of a user group, to access the objects that the policy specifies, while preventing unauthorized users from accessing those objects.
2. MAC (Mandatory Access Control). To enforce access control policies stricter than DAC, the U.S. government and military developed various control models, all of which have fairly complete and detailed definitions; these gradually formed the mandatory access model, which has attracted wide commercial attention and application. Mandatory access control classifies subjects and objects and decides the access mode from the level labels of subject and object. "Mandatory" means that before any access takes place, the system compares the security attributes of the subject and the object to decide whether the subject may access the object in the way it wants; the system forces subjects to obey the access control policy. If the system considers that a user is unsuitable to access a file, nobody (including the file's owner) can grant that user the right to access it.
3. RBAC (Role-Based Access Control) is a non-discretionary access control mechanism: access permissions are assigned to roles, and a user obtains the permissions of a role by taking on that role. The user does not "own" the accessed objects and cannot arbitrarily grant their own access rights to other users.
None of the above access control methods is suitable for authorizing and checking access to massive data.
In the prior art, many access control systems that deal with massive data have abandoned rights management of the data and manage rights only at the module level. This is because, on one hand, resource-level authorization and checking over large volumes of data is highly complex, and on the other hand overly long checks degrade the user experience and raise enterprise operating costs. But implementing access control only at the function level gives up part of the user's security assurance and introduces serious hidden dangers.
Summary of the invention
The technical problem to be solved by the invention is, in view of the defects in the prior art, to provide a resource access control method and system that can control access to massive data effectively.
To solve the above technical problem, the resource access control method of the invention comprises the following steps:
a resource management step, which divides resources into n resource groups, where n is a natural number;
a rights management step, which assigns rights to the user who accesses resources; a right consists of a duty and a management domain, where the duty is a set of functions and expresses which operations the user may perform on the accessed resources, and the management domain is a set of the resource groups and expresses the range of resources the user may access;
a rights decision step, which, when the user accesses resources, controls that user's access according to the rights assigned to the user.
Further, the resource groups are organized as a tree.
Further, in the rights management step a user can be assigned more than one right.
Further, the method of the invention also comprises a management domain switching step, which switches management domains when the user needs to access a different management domain.
To solve the above technical problem, the resource access control system of the invention comprises:
a resource management module, which divides resources into n resource groups, where n is a natural number;
a rights management module, which assigns rights to the user who accesses resources; a right consists of a duty and a management domain, where the duty is a set of functions and expresses which operations the user may perform on the accessed resources, and the management domain is a set of the resource groups and expresses the range of resources the user may access;
a rights decision module, which, when the user accesses resources, controls that user's access according to the rights assigned to the user.
Further, the resources comprise source resources and the derived objects of source resources.
Further, the resource management module is also used to add a newly generated derived object of a source resource to the corresponding resource group according to a predefined grouping strategy for new resources.
Further, a function is a function that a business system has registered with the resource access control system.
Further, a function comprises a function identifier, a function path and a function application attribute; the function identifier is the display name of the function, the function path uniquely identifies the function within the resource access control system, and the function application attribute is returned to the business system through the session after the function check and is interpreted and applied by the business system.
Further, the rights decision module comprises a function decision module and a group filtering module; the function decision module determines, from the duty assigned to the user, which operations the user may perform on the accessed resources, and the group filtering module determines, from the management domain assigned to the user, the range of resources the user may access.
The beneficial effects of the invention are as follows:
The invention provides an access control method and system based on duties and management domains. Resource access rights are granted to users through duties and management domains, so that when a user queries, accesses or uses resources, the user is restricted by rights in both the function dimension and the resource dimension; derived objects of resources can be restricted in both dimensions as well.
The method and system of the invention are easy to operate and low in cost, and in particular make access control over massive data practical. They provide a rights management solution for systems such as monitoring and auditing that deal with massive data, and especially for related hosted services.
Description of drawings
Fig. 1 is a schematic flow chart of the resource access control method of the invention;
Fig. 2 is a schematic structural diagram of the resource access control system of the invention;
Fig. 3 is a schematic diagram of the resource access control principle;
Fig. 4 is a schematic diagram of resource management;
Fig. 5 is a schematic diagram of function organization;
Fig. 6 is a schematic diagram of rights definition;
Fig. 7 is a schematic diagram of rights granting.
Embodiment
The invention is described in further detail below with reference to the drawings and specific embodiments.
The resource access control method of the invention comprises a resource management step, a rights management step and a rights decision step, each described below.
The resource management step organizes and manages the controlled resources by means of resource groups, dividing the resources into n resource groups, where n is a natural number. A resource group is the organizational and management unit of managed resources, and resource groups are organized as a tree. The resource group is itself an abstract object that can be flexibly generalized to many kinds of object, so a user can build a resource model matching their own business model, for example by business, physical location, security domain or administrative department; correspondingly, the authorization objects in the granting process are objects such as businesses, physical locations, security domains and administrative departments that are closely tied to the customer's business.
The rights management step assigns rights to the user who accesses resources. A right consists of a duty and a management domain, so rights management comprises duty management and management domain management. A duty is a set of functions and expresses which operations the user may perform on the accessed resources. Functions are not fixed: they come from the subsystems of the business system (such as browsing, query, reports, etc.), and each subsystem's functions are added dynamically to the overall function set through function registration. A function consists of three basic elements: a function identifier, a function path and a function application attribute. The function identifier is the display name of the function; the function path uniquely identifies the function within the resource access control system of the invention; and the function application attribute is returned to the subsystem through the session after the function check and is interpreted and applied by the subsystem. Functions are organized as a tree by their function paths. When a duty is bound to a function A without selecting any child node of A, the duty includes function A and all of its sub-functions. A management domain is a set of resource groups and expresses the range of resources the user may access. Resource groups are bound to a management domain; because resource groups form a tree, the resource access control system of the invention supports inheritance: a bound resource group and all of its subgroups are included in the management domain, and the resources contained in that group and its subgroups all belong to the range of resources covered by the management domain. A management domain covers not only resources (source resources) but also derived resource objects (in an audit system the resources are devices and the derived objects are the logs those devices produce; audit logs are usually very numerous). Assigning a right means, according to business need, assigning a management domain and a duty to the person or organization accessing resources (a management domain combined with a duty is one right, and a user can obtain more than one such right).
The rights decision step controls the access of a subject (user) to an object (resource) according to the rights assigned to that user. It comprises a function decision step and a group filtering step: the function decision step determines, from the duty assigned to the user, which operations the user may perform on the accessed resources, and the group filtering step determines, from the management domain assigned to the user, the range of resources the user may access.
After logging in, the user selects one of the rights they hold and a session is established; when the user then accesses resources, the access is restricted by the duty and the management domain at the same time. First, the function decision step obtains the user's duty from the session and judges whether the user is allowed to perform the requested operation. Then the group filtering step obtains all groups of the management domain from the session's management domain information, and the resources in that group set are the actual range of resources the user may access.
Fig. 1 is a schematic flow chart of the resource access control method of the invention. As shown in the figure, the method comprises the following steps:
1. Define and manage resources as a tree of resource groups. Here resources include source resources and the derived objects of source resources.
2. The business system registers its business functions.
3. Define a duty as a set of the functions obtained in step 2, that is, bind a function set to the duty. Functions have the inheritance property.
4. Define a management domain as a set of resource groups, that is, bind a set of resource groups to the management domain. Resource groups have the inheritance property.
5. Assign rights: assign a management domain and a duty to the person or organization accessing resources. A user can be assigned more than one right.
6. Define the grouping strategies (grouping policies), which set what group label a given kind of new resource is stamped with. The group label is the key mark used in rights checking; it comprises the group's unique identifier (group id) and a group policy feature code, and one strategy can correspond to several group policy feature codes. Group policy feature codes can be referenced when duties are defined.
7. When a new derived resource object is added while the resource access control system is running, stamp the new resource with a group label according to the grouping strategy.
8. Establish a session after the user logs in.
9. When the user accesses resources, first check the action the user performs, then filter the range the user accesses.
10. If the user wants to operate on resources or functions of a different management domain, switch management domains.
Fig. 2 is a schematic structural diagram of the resource access control system and Fig. 3 is a schematic diagram of its operating principle. As shown in the figures, the resource access control system of the invention comprises a resource management module, a rights management module and a rights decision module.
The resource management module manages the controlled resources, organizing and managing them by means of resource groups. A resource group is the organizational and management unit of managed resources, and resource groups are organized as a tree; the tree structure is also used fully during authorization and checking. The resource group is itself an abstract object that can be flexibly generalized to many kinds of object, so a user can build a resource model matching their own business model, for example by business, physical location, security domain or administrative department; correspondingly, the authorization objects in the granting process are objects such as businesses, physical locations, security domains and administrative departments that are closely tied to the customer's business.
The resource management module is also used to add new derived resource objects to the corresponding resource groups according to predefined grouping strategies for new resources. A grouping strategy is a rule for setting the group label of new resources, that is, which kind of new resource is stamped with which group label. The group label is the key mark used in rights checking; it comprises the group's unique identifier (group id) and a group policy feature code and is used by the subsequent rights decision. At the aspect (cut point) through which new resources are dynamically inserted, the group label is stamped automatically onto the newly added managed resource according to all grouping strategies. If a controlled resource matches no grouping strategy, it enters the default group; if the resource is a derived object, it enters the group of the resource it derives from. Taking logs as an example of derived objects: when a log is received, its group is located from the resource (device) that the log corresponds to, and the group label information is saved together with the log.
The rights management module defines and assigns rights and supplies the information on which the rights decision step decides. Rights management has two parts, duty management and management domain management.
Duty management is the management of function-type right sets: a set of the functions registered by the business system is assigned to a duty, completing the binding of duty and functions. Functions are not fixed: they come from the subsystems of the business system (such as browsing, query, reports, etc.), and each subsystem's functions are added dynamically to the overall function set through function registration. A function consists of three basic elements: a function identifier, a function path and a function application attribute. The function identifier is the display name of the function; the function path uniquely identifies the function within the resource access control system of the invention; and the function application attribute is returned to the subsystem through the session after the function check and is interpreted and applied by the subsystem. Functions are organized as a tree by their function paths. When a duty is bound to a function A without selecting any child node of A, the duty includes function A and all of its sub-functions.
A management domain is the set of managed resources and their derivatives that a user or user group may manage, that is, a certain range of resources.
Management domain management is the management of resource sets: a subset of the resource groups is assigned to a management domain, completing the binding of management domain and resource groups; the resource group is the smallest unit of management domain authorization. Because resource groups form a tree, the resource access control system of the invention supports inheritance: a bound resource group and all of its subgroups are included in the management domain, and the resources contained in that group and its subgroups all belong to the range of resources covered by the management domain. A management domain covers not only resources (source resources) but also derived resource objects (in an audit system the resources are devices and the derived objects are the logs those devices produce; audit logs are usually very numerous). Assigning a right means, according to business need, assigning a management domain and a duty to the person or organization accessing resources (a management domain combined with a duty is one right, and a user can obtain more than one such right).
The rights decision module makes the rights decision when a subject (user) accesses an object (resource). It comprises a function decision module and a group filtering module: the function decision module determines, from the duty assigned to the user, which operations the user may perform on the accessed resources, and the group filtering module determines, from the management domain assigned to the user, the range of resources the user may access.
After logging in, the user selects one of the rights they hold and a session is established; when the user then accesses resources, the access is restricted by the duty and the management domain at the same time. First, the function decision module obtains the user's duty from the session and judges whether the user is allowed to perform the requested operation. Then the group filtering module obtains all groups of the management domain from the session's management domain information, and the resources in that group set are the actual range of resources the user may access.
The method of the invention is further explained below using a security event management system as an example.
Security events may come from various security devices. Devices are managed as resources, and resource access control covers both access to the devices and access to the security events the devices produce. Because security events are usually extremely numerous, many security management platforms have given up such access control.
In the method of the invention, devices are first managed as a tree of groups. Fig. 4 gives a practical example in which resources are organized from a business perspective: under the resource management root node there are two resource groups, business S1 and business S2; business S1 contains two resources, system devices Res1 and Res2, and business S2 contains two resources, system devices Res3 and Res4. Resources are an important part of access control but not all of it: access control also covers the information derived from these resources, for example running status, running logs and run events. Taking high-risk events as an example, a high-risk event resource group is created in the figure that contains no resource in resource management. By defining a grouping strategy, the high-risk events produced by each device are given the label of the high-risk event resource group, and two feature codes are defined, one common and one secret. These feature codes are registered automatically in the resource access control system.
Fig. 5 shows the function set displayed in the resource access control system of the invention after function registration is complete. Functions are represented as a tree. Taking the registration of function 1 and its sub-functions by a business function subsystem (such as browsing, query, reports, etc.) as an example: the subsystem arranges the subsystems it needs to control as a set of URLs separated by the "/" symbol (for example "functional tree/function 1/function 1.1", "functional tree/function 1/function 1.2") together with their names and attributes, and then, through the registration function, the functions of the business function subsystem are dynamically registered into the resource access control system of the invention, where they are represented as a tree. The feature codes defined in the grouping strategy, "functional tree/high-risk events/HE.common" and "functional tree/high-risk events/HE.secret", are also shown here.
Fig. 6 shows the creation, that is the definition, of rights. In the resource access control system of the invention the definition of rights has two parts: one is the set of functions (or operation types), which is managed by duty management; the other is the delimitation of resources and their derived objects, that is, management domain management. The left side of the figure shows duty management, in which two duties are defined, duty OD1 and duty secret keeper. Duty OD1 comprises the function set function 1 (which means that the duty includes function 1.1 and function 1.2) and HE.common; duty secret keeper comprises the function HE.secret. Defining duties with function sets simplifies the definition of function sets. Management domains define the scope of authority and are shown on the right of the figure. Two management domains are defined under the management domain root, MD1 and MD2; resource group business S1 is assigned to MD1 and the high-risk events group is assigned to MD2.
Fig. 7 shows how rights are assigned. A right is the combination of a duty and a management domain. A right can be assigned to a department (also called a user group; everyone in the department then holds the right), or directly to a user. Department D1 in the figure has been assigned the right consisting of management domain MD1 and duty OD1, which means that users U1 and U2 can both exercise duty OD1 over the resources, and the derived resource objects, within the range of management domain MD1. User U3 has been assigned two rights: right one (management domain MD1 and duty OD2) and right two (management domain MD2 and secret keeper). User U3 therefore holds different duties in different domains, and in the resource access control system of the invention a user can exercise rights in only one domain at a time: after performing function 2.2 in management domain MD1, user U3 must switch management domains in order to exercise the secret keeper duty in management domain MD2, after which, absent other business function controls, user U3 can view the secret-related logs among the high-risk events of every device.
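As an added example (not the patent's own code), the following Python models the duty plus management-domain scheme described above and in the steps of Fig. 1, and replays the scenario of Figs. 4 to 7: a subsystem registers a function tree, grouping strategies stamp derived events with group labels and feature codes, and a session applies the function decision before group filtering and switches domains. The ASCII path names, the event ids E1 and E2, the contents of duty OD2, and modelling a feature code as a function that a duty must hold are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

def covered_by(node: str, ancestor: str) -> bool:
    """Tree inheritance on '/'-separated paths: a node is covered by itself and every ancestor."""
    return node == ancestor or node.startswith(ancestor + "/")

class FunctionRegistry:  # functions are not fixed: each business subsystem registers its own
    def __init__(self) -> None:
        self.paths: Set[str] = set()
    def register(self, *paths: str) -> None:
        for path in paths:  # every ancestor node of a registered path joins the tree too
            parts = path.split("/")
            self.paths.update("/".join(parts[:i]) for i in range(1, len(parts) + 1))

@dataclass
class Duty:  # a duty (responsibility): the set of function paths its holder may perform
    name: str
    functions: Set[str]
    def allows(self, function: str) -> bool:
        # binding function A without picking its children grants A and all its sub-functions
        return any(covered_by(function, f) for f in self.functions)

@dataclass
class ManagementDomain:  # a set of resource groups; a bound group brings all its subgroups
    name: str
    groups: Set[str]
    def covers(self, labels: Set[str]) -> bool:
        return any(covered_by(label, g) for label in labels for g in self.groups)

@dataclass
class Authority:  # one right = one duty + one management domain
    duty: Duty
    domain: ManagementDomain

@dataclass
class Resource:
    rid: str
    labels: Set[str]               # group labels (group ids in the resource-group tree)
    feature: Optional[str] = None  # group-policy feature code a duty must hold to see it

class ResourceManager:  # devices sit in the group tree; derived objects get stamped labels
    def __init__(self, registry: FunctionRegistry, strategies: Dict[str, Tuple[str, str]]) -> None:
        self.registry, self.strategies = registry, strategies  # kind -> (group label, feature code)
        self.resources: Dict[str, Resource] = {}
        registry.register(*(feature for _, feature in strategies.values()))  # codes auto-registered
    def add_device(self, rid: str, group: Optional[str]) -> None:
        self.resources[rid] = Resource(rid, {group or "root/default"})  # no strategy: default group
    def add_derived(self, rid: str, parent: str, kind: str) -> None:
        group, feature = self.strategies[kind]  # grouping strategy for this kind of new object
        labels = set(self.resources[parent].labels) | {group}  # keeps the parent device's group
        self.resources[rid] = Resource(rid, labels, feature)

class Session:  # a logged-in user exercises one right at a time; other domains need a switch
    def __init__(self, user: str, authorities: List[Authority]) -> None:
        self.user, self.authorities, self.active = user, list(authorities), authorities[0]
    def switch_domain(self, domain_name: str) -> bool:
        match = [a for a in self.authorities if a.domain.name == domain_name]
        if match:
            self.active = match[0]
        return bool(match)
    def decide(self, function: str, res: Resource) -> bool:
        """Function decision (duty) first, then group filtering (management domain)."""
        duty, domain = self.active.duty, self.active.domain
        if not duty.allows(function):
            return False
        if res.feature is not None and not duty.allows(res.feature):
            return False
        return domain.covers(res.labels)
    def visible(self, function: str, rm: ResourceManager) -> List[str]:
        return sorted(r.rid for r in rm.resources.values() if self.decide(function, r))

def build_example() -> Tuple[ResourceManager, Dict[str, Session]]:
    """Constructed data following Figs. 4 to 7; OD2's contents and the event ids are assumed."""
    registry = FunctionRegistry()
    registry.register("functional tree/function 1/function 1.1",
                      "functional tree/function 1/function 1.2",
                      "functional tree/function 2/function 2.2")
    hr = "functional tree/high-risk events/"
    rm = ResourceManager(registry, {"high-risk common": ("root/high-risk events", hr + "HE.common"),
                                    "high-risk secret": ("root/high-risk events", hr + "HE.secret")})
    for rid, group in [("Res1", "root/S1"), ("Res2", "root/S1"), ("Res3", "root/S2"), ("Res4", "root/S2")]:
        rm.add_device(rid, group)
    rm.add_derived("E1", "Res1", "high-risk common")  # common high-risk event raised by Res1
    rm.add_derived("E2", "Res3", "high-risk secret")  # secret high-risk event raised by Res3
    od1 = Duty("OD1", {"functional tree/function 1", hr + "HE.common"})
    od2 = Duty("OD2", {"functional tree/function 2"})
    keeper = Duty("secret keeper", {hr + "HE.secret"})
    md1 = ManagementDomain("MD1", {"root/S1"})
    md2 = ManagementDomain("MD2", {"root/high-risk events"})
    dept_d1 = [Authority(od1, md1)]  # department D1: every member of the department gets this right
    sessions = {u: Session(u, dept_d1) for u in ("U1", "U2")}
    sessions["U3"] = Session("U3", [Authority(od2, md1), Authority(keeper, md2)])
    return rm, sessions
```

With the Fig. 7 assignments, U1 sees Res1, Res2 and the common event E1 but never the secret event E2, and U3 reaches E2 only after switching to MD2, at which point function 2.2 on Res1 is refused.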
In the embodiment of the invention, devices are managed as a tree of groups and resource access rights are granted to users through duties and management domains, so that when a user queries, accesses or uses resources, the user is restricted by rights in both the function dimension and the resource dimension. Resource access control covers not only access to the security devices but also access to the security events the devices produce, so a security management platform can achieve effective access control over massive security events.
The specific embodiments described above further explain the objectives, technical solution and beneficial effects of the invention. It should be noted that they are only specific embodiments of the invention, and those skilled in the art may make various changes and modifications to the invention without departing from its spirit and scope. If such changes and modifications fall within the scope of the technical solutions recorded in the claims of the invention and their equivalents, the invention is intended to cover them as well.

Claims (10)

1. A resource access control method, characterised in that it comprises the steps of:
a resource management step, which divides resources into n resource groups, where n is a natural number;
a rights management step, which assigns authorities to a user who performs resource access, wherein one said authority consists of one responsibility and one management domain, said responsibility is a set of functions and represents what kind of operations the user may perform on the accessed resources, and said management domain is a set of said resource groups and represents the range of resources the user may access;
an authority decision step, which, when the user accesses a resource, controls this user's access according to said authority assigned to this user.
2. The resource access control method according to claim 1, characterised in that:
said resource groups are organised as a tree.
3. The resource access control method according to claim 1, characterised in that:
in said rights management step, a user may be assigned more than one said authority.
4. The resource access control method according to claim 1, 2 or 3, characterised in that:
it further comprises a management domain switching step, which switches the management domain when the user needs to access a different management domain.
5. A resource access control system, characterised in that it comprises:
a resource management module, which divides resources into n resource groups, where n is a natural number;
an authority management module, which assigns authorities to a user who performs resource access, wherein one said authority consists of one responsibility and one management domain, said responsibility is a set of functions and represents what kind of operations the user may perform on the accessed resources, and said management domain is a set of said resource groups and represents the range of resources the user may access;
an authority decision module, which, when the user accesses a resource, controls this user's access according to said authority assigned to this user.
6. The resource access control system according to claim 5, characterised in that:
said resources comprise original resources and objects derived from the original resources.
7. The resource access control system according to claim 6, characterised in that:
said resource management module is further used to add a newly generated derived object of said original resources to the corresponding said resource group according to a predefined grouping strategy for new resources.
8. The resource access control system according to claim 5, 6 or 7, characterised in that:
said functions are the functions that each business system registers with said resource access control system.
9. The resource access control system according to claim 8, characterised in that:
said function comprises a function identifier, a function path and a function apply property; wherein said function identifier is the display name of the function, said function path uniquely identifies the function within said resource access control system, and said function apply property is returned to said business system through the session once the function has passed the decision, and is interpreted and applied by said business system.
10. The resource access control system according to claim 5, 6 or 7, characterised in that:
said authority decision module comprises a function decision module and a group filtering module; wherein said function decision module determines, according to the responsibility assigned to the user, what kind of operations this user may perform on the accessed resources, and said group filtering module determines, according to the management domain assigned to the user, the range of resources this user may access.
CN2010102336926A 2010-07-22 2010-07-22 Resource access control method and system Pending CN101895551A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010102336926A CN101895551A (en) 2010-07-22 2010-07-22 Resource access control method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010102336926A CN101895551A (en) 2010-07-22 2010-07-22 Resource access control method and system

Publications (1)

Publication Number Publication Date
CN101895551A true CN101895551A (en) 2010-11-24

Family

ID=43104618

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010102336926A Pending CN101895551A (en) 2010-07-22 2010-07-22 Resource access control method and system

Country Status (1)

Country Link
CN (1) CN101895551A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1168752A1 (en) * 2000-06-23 2002-01-02 Matra Nortel Communications Access control in client-sever systems
CN101106511A (en) * 2007-08-24 2008-01-16 上海可鲁系统软件有限公司 A secure intercommunication method and device between two independent networks
CN101257377A (en) * 2008-03-11 2008-09-03 南京邮电大学 Dynamic access control method based on community authorisation service
CN101448002A (en) * 2008-12-12 2009-06-03 北京大学 Method and device for accessing digital resources
CN101771698A (en) * 2010-01-15 2010-07-07 南京邮电大学 Grid visit control method based on extendible markup language security policy

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102158557A (en) * 2011-04-12 2011-08-17 华中科技大学 Security strategy decomposition and verification system in cloud storage environment
CN103188249A (en) * 2011-12-31 2013-07-03 北京亿阳信通科技有限公司 Concentration permission management system, authorization method and authentication method thereof
CN105074720A (en) * 2013-02-27 2015-11-18 微软技术许可有限责任公司 Discretionary policy management in cloud-based environment
CN105074720B (en) * 2013-02-27 2018-03-30 微软技术许可有限责任公司 Autonomous tactical management in environment based on cloud
CN103179126A (en) * 2013-03-26 2013-06-26 山东中创软件商用中间件股份有限公司 Access control method and device
CN104678866B (en) * 2013-12-03 2017-09-26 阿自倍尔株式会社 Supervisor control
CN104678866A (en) * 2013-12-03 2015-06-03 阿自倍尔株式会社 Monitoring control system
CN103677829A (en) * 2013-12-13 2014-03-26 北京同有飞骥科技股份有限公司 System and method for access control of object operations
CN103677829B (en) * 2013-12-13 2016-08-17 北京同有飞骥科技股份有限公司 Object Operations accesses the method controlled
CN104125219B (en) * 2014-07-07 2017-06-16 四川中电启明星信息技术有限公司 For authorization management method in the identity set of power information system
CN104333553A (en) * 2014-11-11 2015-02-04 安徽四创电子股份有限公司 Mass data authority control strategy based on combination of blacklist and whitelist
CN104537488A (en) * 2014-12-29 2015-04-22 中国南方电网有限责任公司 Enterprise-level information system function authority unified management method
CN107872430A (en) * 2016-09-27 2018-04-03 成都鼎桥通信技术有限公司 The management method and device of photovoltaic plant
CN106506521A (en) * 2016-11-28 2017-03-15 腾讯科技(深圳)有限公司 resource access control method and device
WO2018095406A1 (en) * 2016-11-28 2018-05-31 腾讯科技(深圳)有限公司 Resource access control method and device
CN106506521B (en) * 2016-11-28 2020-08-07 腾讯科技(深圳)有限公司 Resource access control method and device
US10757106B2 (en) 2016-11-28 2020-08-25 Tencent Technology (Shenzhen) Company Limited Resource access control method and device
CN107506655A (en) * 2017-08-08 2017-12-22 北京盛华安信息技术有限公司 Data permission distributes the method with access control
CN110889127A (en) * 2019-11-27 2020-03-17 广州锦行网络科技有限公司 Infinite subset and multi-dimensional authorization privileged account access control method and device
CN114780300A (en) * 2022-06-20 2022-07-22 南京云信达科技有限公司 Backup system authority management method and system based on resource layering

Similar Documents

Publication Publication Date Title
CN101895551A (en) Resource access control method and system
CN102307185B (en) Data isolation method used in storage cloud
Hu et al. Guidelines for access control system evaluation metrics
CN101997876B (en) Attribute-based access control model and cross domain access method thereof
CN109670768A (en) Right management method, device, platform and the readable storage medium storing program for executing in multi-service domain
CN101986599B (en) Network security control method based on cloud service and cloud security gateway
CN104301301B (en) A kind of Data Migration encryption method based between cloud storage system
CN106992988A (en) A kind of cross-domain anonymous resource sharing platform and its implementation
CN101453475A (en) Authentication management system and method
Gonzalez et al. A framework for authentication and authorization credentials in cloud computing
WO2009145760A1 (en) Hierarchical administration of resources
CN103763369B (en) A kind of multiple authority distributing method based on SAN storage system
De Capitani di Vimercati et al. Private data indexes for selective access to outsourced data
CN107358122A (en) The access management method and system of a kind of data storage
CN110474897A (en) A kind of file permission management system
JP2006099779A (en) Right management
CN104253810A (en) Safe login method and system
CN106101074A (en) A kind of sacurity dispatching method based on user's classification towards big data platform
CN106997440A (en) A kind of role access control method
Zheng et al. Dynamic Role-Based Access Control Model.
CN104866774B (en) The method and system of account rights management
Hasani et al. Criteria specifications for the comparison and evaluation of access control models
CN102801743B (en) Based on the SAP security sensitive information system of multi-party authorization and dynamic password
CN105335664A (en) Permission management system based on B/S mode
CN201557132U (en) Cross-domain management device based on PKI/PMI technology

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information

Inventor after: Wan Ke

Inventor after: Zhang Li

Inventor after: Hu Weihua

Inventor after: Ban Xiaofang

Inventor after: Yao Diezhan

Inventor before: Wan Ke

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: WAN KE TO: WAN KE ZHANG LI HU WEIHUA BAN XIAOFANG YAO YIZHAN

ASS Succession or assignment of patent right

Owner name: CHINA INFORMATION TECHNOLOGY SECURITY EVALUATION C

Free format text: FORMER OWNER: BEIJING TOPSEC TECHNOLOGY CO., LTD.

Effective date: 20130529

Owner name: BEIJING HEAVEN MELTS LETTER SCIENCE TECHNOLOGIES C

Effective date: 20130529

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20130529

Address after: 100085 Building No. 8, No. 1 West Road, Beijing, Haidian District

Applicant after: China Information Technology Security Evaluation Center

Applicant after: Beijing Topsec Technology Co., Ltd.

Address before: 100085 Beijing East Road, No. 1, building No. 301, building on the north side of the floor, room 3, room 3

Applicant before: Beijing Topsec Technology Co., Ltd.

C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20101124